Unexpected Azure API calls indicating WAF policy disabled
Description
AlphaSOC detected that an Azure Web Application Firewall (WAF) policy was
disabled via
Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/write
operations with the state property set to Disabled. WAF policies protect web
applications from common attacks like SQL injection, cross-site scripting, and
other vulnerabilities. Adversaries may disable WAF rules to allow malicious
traffic through or facilitate web application attacks.
Impact
Disabling WAF protection exposes web applications to a wide range of attacks that would otherwise be blocked. This may enable exploitation of application vulnerabilities, data exfiltration through web interfaces, or injection attacks against backend systems. The change may indicate preparation for or execution of a web application attack.
Severity
| Severity | Condition |
|---|---|
| Low | Unexpected action or ASN |
| Medium | Two unexpected properties at the same time |
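The following Python script is an added worked example, not AlphaSOC's detection code, that ties the Description and the Severity table together: it walks Activity Log style records, flags writes to `Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/write` whose `policySettings.state` is `Disabled`, and scores each hit against a per-principal baseline exactly as the table describes (one unexpected property gives Low, two at once give Medium). The record shape (request body as a JSON string under `properties.requestbody`), the `asn` field (assumed to be an enrichment of `callerIpAddress` done upstream, not a native Activity Log field), the `BASELINE` dictionary and the sample records are all constructed for this example.

```python
import json
from typing import Iterable

# Operation name the detection keys on (as given on the page).
WAF_POLICY_WRITE = (
    "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/write"
)
WAF_POLICY_READ = (
    "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/read"
)

# Constructed per-principal baseline: operations and source ASNs previously
# observed for each caller. 64496 is an RFC 5398 documentation ASN standing in
# for the organisation's corporate egress ASN.
BASELINE = {
    "iac-pipeline@example.com": {"actions": {WAF_POLICY_WRITE}, "asns": {64496}},
    "alice@example.com": {"actions": {WAF_POLICY_READ}, "asns": {64496}},
}
NO_HISTORY = {"actions": set(), "asns": set()}


def waf_state_from_record(record: dict):
    """Return policySettings.state from the write's request body, or None.

    Assumed record shape: the request body is carried as a JSON string under
    properties.requestbody (a simplification of the Activity Log schema).
    """
    body = record.get("properties", {}).get("requestbody")
    if not body:
        return None
    try:
        payload = json.loads(body) if isinstance(body, str) else body
    except (json.JSONDecodeError, TypeError):
        return None
    return payload.get("properties", {}).get("policySettings", {}).get("state")


def is_waf_disable(record: dict) -> bool:
    """True for a WAF policy write whose state property is set to Disabled."""
    if record.get("operationName") != WAF_POLICY_WRITE:
        return False
    state = waf_state_from_record(record)
    return isinstance(state, str) and state.lower() == "disabled"


def unexpected_properties(record: dict, baseline: dict) -> list:
    """List which scored properties (action, source ASN) fall outside the caller's baseline."""
    known = baseline.get(record.get("caller"), NO_HISTORY)
    unexpected = []
    if record.get("operationName") not in known["actions"]:
        unexpected.append("action")
    # 'asn' is assumed to be an upstream enrichment of callerIpAddress.
    if record.get("asn") not in known["asns"]:
        unexpected.append("asn")
    return unexpected


def severity_for(unexpected: list):
    """Apply the page's severity table: one unexpected property -> Low, two at once -> Medium."""
    if len(unexpected) >= 2:
        return "Medium"
    if len(unexpected) == 1:
        return "Low"
    return None


def evaluate(records: Iterable[dict], baseline: dict = BASELINE) -> list:
    """Run the detection and return one alert per WAF disable that has an unexpected property."""
    alerts = []
    for record in records:
        if not is_waf_disable(record):
            continue
        unexpected = unexpected_properties(record, baseline)
        sev = severity_for(unexpected)
        if sev is None:
            continue  # known principal from a known network: no alert
        alerts.append({
            "severity": sev,
            "unexpected": unexpected,
            "caller": record.get("caller"),
            "resourceId": record.get("resourceId"),
        })
    return alerts


def _record(caller, asn, operation, state):
    """Build a constructed sample record (not real tenant data)."""
    body = {"properties": {"policySettings": {"state": state}}}
    return {
        "operationName": operation,
        "caller": caller,
        "asn": asn,
        "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-web/providers/"
                      "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/waf-prod",
        "properties": {"requestbody": json.dumps(body)},
    }


# Constructed sample records covering the expected, Low, Medium and no-match cases.
SAMPLE_RECORDS = [
    _record("iac-pipeline@example.com", 64496, WAF_POLICY_WRITE, "Disabled"),  # expected, no alert
    _record("iac-pipeline@example.com", 64512, WAF_POLICY_WRITE, "Disabled"),  # unexpected ASN -> Low
    _record("alice@example.com", 64512, WAF_POLICY_WRITE, "Disabled"),         # action + ASN -> Medium
    _record("alice@example.com", 64496, WAF_POLICY_WRITE, "Enabled"),          # re-enable, not a disable
    _record("bob@example.com", 64512, WAF_POLICY_READ, "Disabled"),            # read, wrong operation
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_RECORDS):
        print(alert)
```

The baseline is keyed per caller so that the same write is expected from a deployment pipeline but not from an interactive user; in practice that baseline would be learned from historical Activity Log data rather than hard-coded. The alert keeps the `resourceId`, which is what the Investigation section needs first: it identifies the policy, and from there which Application Gateways are now unprotected.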
Investigation and Remediation
Review the WAF policy change and determine which applications are now unprotected. Verify the identity of the user who disabled the policy and confirm the action was authorized. Re-enable the WAF policy immediately if the change was unauthorized. Monitor web application logs for attack activity during the period WAF was disabled.
Known False Positives
- Temporary disabling during application troubleshooting
- Migration to alternative WAF solutions
- Testing scenarios requiring direct application access